Session: "Trust and Security in Practice"

What Did I Really Vote For?

Abstract:
E-voting has been embraced by a number of countries, delivering benefits in terms of efficiency and accessibility. End-to-end verifiable e-voting schemes facilitate verification of the integrity of individual votes during the election process. In particular, methods for cast-as-intended verification enable voters to confirm that their cast votes have not been manipulated by the voting client. A well-known technique for effecting cast-as-intended verification is the Benaloh Challenge. The usability of this challenge is crucial because voters have to be actively engaged in the verification process. In this paper, we report on a usability evaluation of three different approaches of the Benaloh Challenge in the remote e-voting context. We performed a comparative user study with 95 participants. We conclude with a recommendation for which approaches should be provided to afford verification in real-world elections and suggest usability improvements.

Abstract:
Many of the security problems that people face today, such as security breaches and data theft, are caused by security vulnerabilities in application source code. Thus, there is a need to understand and improve the experiences of those who can prevent such vulnerabilities in the first place - software developers as well as application security experts. Several studies have examined developers' perceptions and behaviors regarding security vulnerabilities, demonstrating the challenges they face in performing secure programming and utilizing tools for vulnerability detection. We expand upon this work by focusing on those primarily responsible for application security - security auditors. In an interview study of 32 application security experts, we examine their views on application security processes, their workflows, and their interactions with developers in order to further inform the design of tools and processes to improve application security.

An Experience Sampling Study of User Reactions to Browser Warnings in the Field

Abstract:
Web browser warnings should help protect people from malware, phishing, and network attacks. Adhering to warnings keeps people safer online. Recent improvements in warning design have raised adherence rates, but they could still be higher. And prior work suggests many people still do not understand them. Thus, two challenges remain: increasing both comprehension and adherence rates. To dig deeper into user decision making and comprehension of warnings, we performed an experience sampling study of web browser security warnings, which involved surveying over 6,000 Chrome and Firefox users in situ to gather reasons for adhering or not to real warnings. We find these reasons are many and vary with context. Contrary to older prior work, we do not find a single dominant failure in modern warning design - like habituation - that prevents effective decisions. We conclude that further improvements to warnings will require solving a range of smaller contextual misunderstandings.

Forgotten But Not Gone: Identifying the Need for Longitudinal Data Management in Cloud Storage

Abstract:
Users have accumulated years of personal data in cloud storage, creating potential privacy and security risks. This agglomeration includes files retained or shared with others simply out of momentum, rather than intention. We presented 100 online-survey participants with a stratified sample of 10 files currently stored in their own Dropbox or Google Drive accounts. We asked about the origin of each file, whether the participant remembered that file was stored there, and, when applicable, about that file's sharing status. We also recorded participants' preferences moving forward for keeping, deleting, or encrypting those files, as well as adjusting sharing settings. Participants had forgotten that half of the files they saw were in the cloud. Overall, 83% of participants wanted to delete at least one file they saw, while 13% wanted to unshare at least one file. Our combined results suggest directions for retrospective cloud data management.